
SecurityTrails Blog · Oct 26 · by Nahla Davies

Nmap on Windows: Installation and Usage Guide for Windows Users


Available for Windows, Linux, macOS, and a range of other operating systems, Nmap is widely used to perform network scans, conduct security auditing, and find vulnerabilities in networks.

As the project’s official page explains, at the most basic level Nmap lets you quickly discover which hosts are up and which ports they expose. Some scan types are quieter than others, but no scan is invisible: every technique sends packets to the target, and an IDS or a firewall log on the far side can record them.

This functionality is accessed through a set of command-line options that will be familiar to anyone who has used other network tools. The Nmap Scripting Engine (NSE) extends this further: scripts written in Lua and run with --script can identify services, enumerate configurations and check for known vulnerabilities.

Installing Nmap on Windows, and for that matter using it on Windows, is fairly straightforward. We’ll show you how to download Nmap and how to install it. We’ll then take you through the most common use cases, before showing you the official GUI front end, called Zenmap.


Installing Nmap on Windows

Installing Nmap on Windows is straightforward:

  1. Go to the official download page and download the latest stable version of Nmap.

NOTE: The download page usually offers several versions: the latest stable release and, at times, beta builds that include newer features at the cost of some stability. Unless you need a specific new feature, take the latest stable version.

Nmap Official Download Page

  2. Navigate to the location where the file was downloaded. On a standard Windows installation this is your “Downloads” folder. You will see a file called “nmap-X.XX-setup.exe”, or similar. If you can’t find it, search for it.

  3. This file is the installer, an executable. Run it with administrator privileges: right-click the file and choose “Run as administrator.” Administrator rights are needed because the installer also sets up Npcap, the packet capture driver Nmap uses on Windows for raw-packet scans such as SYN scans and OS detection.

  4. The installer will ask you to accept the end-user license agreement. Click “I Agree.”

  5. Next, it will ask which components to install. All components, including Npcap, Zenmap and “Register Nmap Path”, are selected by default. Unless you know you don’t need some of them, accept the default selection; leaving “Register Nmap Path” checked is what lets you type nmap from any command prompt later.

  6. The installer will then ask where to install Nmap. The default is C:\Program Files (x86)\Nmap, but you can change it. Either way, note where Nmap ends up: if you skipped the PATH registration you will have to call it by its full path from the command line.

  7. Click “Install.” This is quick even on old hardware; Nmap is a small program despite being so useful. The bundled Npcap installer runs as part of this step and shows its own dialogs.

  8. You’ll then get confirmation that Nmap is installed.

Nmap Installation Process On Windows

If all went smoothly, you should now have a working copy of Nmap. To check, open a new Command Prompt or PowerShell window (a window opened before the install will not see the updated PATH) and run nmap --version. It should print the Nmap version and the Npcap version it is linked against.

Depending on your level of experience, however, you might be a little confused at this point. Nmap itself is a command-line tool: it has no window of its own and no icon in your programs menu. The shortcut the installer creates is for Zenmap, the GUI front end.

If you are familiar with using the command line (or want to give it a go), proceed to the next section. If you would rather have a graphical program (a GUI), take a look at the section on Zenmap below; it provides a more familiar interface for novice users.

Running Nmap on Windows 10 - Usage Examples

Using Nmap on the Windows command line

As mentioned above, Nmap is normally driven entirely from the Windows command line (Command Prompt or PowerShell; the commands are the same in both), and this is how most people use it. If you are not comfortable with that, you can use Zenmap (see below), or treat Nmap as an introduction to the command line; it is a good place to learn. One Windows-specific point: scan types that need raw packets (SYN scans, OS detection, ping scans that use ICMP) require a prompt started with “Run as administrator”; without it Nmap silently falls back to slower, noisier connect scans.

Nmap Cli Output On Windows

Here are the most common use cases for Nmap:

1. Detecting service versions

A simple first use of Nmap is to find out which services are listening on a host and which software and version each one runs. It is also a good example of how Nmap is invoked in general: the command nmap, followed by options, followed by the target.

nmap -sV 192.168.1.106

The -sV option tells Nmap to probe every open port it finds and try to identify the service behind it (for example OpenSSH 8.9p1 or nginx 1.18.0). The report lists each open port with the service name and the detected product and version. Note that -sV identifies services, not the operating system; for the OS use -O, described in section 5.

2. Ping scanning

Next, let’s look at using Nmap to work with your network. A common use is a ping scan, which identifies which IP addresses on your network currently respond, without port scanning them.

Nmap Ping Scan On Windows

Use this command:

nmap -sn 192.168.1.0/24

(-sn means “no port scan”. Older documentation calls this -sP; Nmap options are case-sensitive, so a lowercase -sp is rejected.) This returns a list of the live hosts on the network. Use that list to pick the addresses you want to investigate further (see below).

NOTE: A ping scan is quick and relatively quiet because it sends only a handful of discovery probes per address rather than scanning ports: when run as administrator, an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, or simply an ARP request for hosts on the local Ethernet segment. It is not invisible, though. Those probes do reach the targets and can be logged by a firewall or IDS.

3. Port scanning

Port scanning is the core of Nmap: it determines which TCP or UDP ports on a host are open, closed or filtered, and it is usually the step performed before a version scan or an Nmap vulnerability scan.

There are multiple ways of performing a port scan. Here are the most common scan types, selected with the -s option:

-sS  TCP SYN scan
-sT  TCP connect scan
-sU  UDP scan
-sY  SCTP INIT scan
-sN  TCP NULL scan

All of these scans are slightly different. You can read about the intricacies of each in the official Nmap documentation, but the two most important to understand are:

  • The TCP SYN scan (-sS) is the default when Nmap runs with administrator rights. It sends a SYN and judges the port from the reply (SYN/ACK means open, RST means closed, no answer means filtered) without completing the handshake, so it is fast and less likely to show up in application logs. Without administrator rights on Windows, Nmap falls back to the connect scan (-sT), which completes a full handshake through the Windows socket API.

  • The TCP NULL scan (-sN) sends a packet with no flags set. RFC 793 says a closed port must answer with RST while an open port stays silent, so the scan can slip past some simple stateless packet filters that only watch for SYN. The cost is ambiguity: silence can also mean filtered, so Nmap reports such ports as open|filtered. It also does not work against Windows targets, which reply with RST on every port regardless of state.

4. Host scanning

The two scans above take a range. Pointing Nmap at a single address with no scan-type option runs its default scan against that host: host discovery, followed by a SYN scan (or a connect scan without administrator rights) of the 1,000 most commonly used TCP ports:

nmap 192.168.1.106

Nmap accepts the same target notation everywhere, so you can give a hostname, a single IP, a CIDR range such as 192.168.1.0/24, or a list separated by spaces.

5. OS scanning

OS detection is another popular Nmap feature. Nmap sends a series of crafted TCP, UDP and ICMP probes to the host (to an open port and a closed port where it can find them) and compares details of the replies, such as initial TTL, window size and TCP option ordering, against its database of operating system fingerprints. That yields a best-guess OS for the host (most of the time, anyway). Detection is per host, not per port, and it works best when at least one open and one closed TCP port are reachable. On Windows it needs raw packets, so run it from an administrator prompt.

Use this command to perform a scan:

nmap -O <target IP>

Output example:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-26 09:43 -03
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.25s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
Aggressive OS guesses: Linux 3.8 (92%), Linux 4.4 (91%), Linux 2.6.32 (91%), Linux 2.6.32 or 3.10 (91%), Linux 3.5 (91%), Linux 4.2 (91%), Synology DiskStation Manager 5.1 (91%), WatchGuard Fireware 11.8 (91%), Linux 2.6.35 (90%), Linux 3.10 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 19 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.83 seconds

6. Scan popular ports

Sometimes you just want quick information on what is happening on your network. Nmap has a variety of shortcuts that make common commands simple, and --top-ports is one of them.

Run the following command:

nmap --top-ports 10 192.168.1.106

This scans the most commonly open ports for the given IP address and returns concise information on them. The number “10” tells Nmap how many ports to scan; they are ranked by how often each port is found open in Nmap’s own frequency data (the nmap-services file), so the top 10 TCP ports are 80, 23, 443, 21, 22, 25, 3389, 110, 445 and 139. Increase or decrease the number as needed.

7. File output

All of the scans above print a text report to the command line. You can also write that report to a file by adding an output option to the scan command. For normal, human-readable output:

nmap -sV 192.168.1.106 -oN output.txt

For XML output, which is the format to use when another tool or script will read the results:

nmap -sV 192.168.1.106 -oX output.xml

-oG writes the older “grepable” one-line-per-host format, and -oA basename writes all three formats at once (basename.nmap, basename.xml and basename.gnmap).

8. Disable DNS name resolution

By default Nmap reverse-resolves every responding IP address to a hostname. The -n option turns this off. That speeds up scans of larger networks, avoids stalls when the DNS server is slow or unreachable, and means the scan does not leave a trail of reverse lookups in the DNS server’s logs. Combined with a ping scan:

nmap -sn -n 192.168.1.0/24
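The sweep-then-scan workflow from sections 2, 3, 5, 6 and 7, as an added example that is not part of the original article or of the Nmap project: a Python 3 script (standard library only, runs from any Windows prompt) that reads Nmap’s -oX XML, turns a ping sweep into a targeted follow-up scan of the hosts that answered, and summarises open ports, service versions and the OS guess. The two XML documents embedded in it are constructed samples in Nmap’s output format, not real scan results, and the addresses, file names and function names are assumptions made for the example.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sn -oX sweep.xml 192.168.1.0/24` writes
# (trimmed to the elements used here; two hosts up, one down).
SAMPLE_SWEEP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX sweep.xml 192.168.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:11:22" addrtype="mac"/></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.1.106" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.107" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed sample of what `nmap -sS -sV -O --top-ports 10 -oX ports.xml 192.168.1.106` writes.
SAMPLE_PORTS_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.1.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Linux 5.0 - 5.4" accuracy="95"/>
        <osmatch name="Linux 4.15 - 5.6" accuracy="93"/></os>
  </host>
</nmaprun>"""


def _ipv4(host):
    """First IPv4 address of a <host> element, or None (MAC addresses are skipped)."""
    for addr in host.findall("address"):
        if addr.get("addrtype") == "ipv4":
            return addr.get("addr")
    return None


def live_hosts(xml_text):
    """IPv4 addresses of hosts that a -sn sweep reported as up; down hosts are dropped."""
    root = ET.fromstring(xml_text)
    return [_ipv4(h) for h in root.findall("host")
            if h.find("status") is not None and h.find("status").get("state") == "up"]


def open_ports(xml_text):
    """(ip, port, proto, service, 'product version') for every port whose state is open.
    closed and filtered ports are skipped, as is open|filtered (UDP and NULL scans)."""
    found = []
    for host in ET.fromstring(xml_text).findall("host"):
        ip = _ipv4(host)
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            found.append((ip, int(port.get("portid")), port.get("protocol"), name, banner))
    return found


def best_os_guess(xml_text):
    """(ip, osmatch name, accuracy %) from the first <osmatch>, which Nmap lists highest-confidence first."""
    guesses = []
    for host in ET.fromstring(xml_text).findall("host"):
        match = host.find("os/osmatch")
        if match is not None:
            guesses.append((_ipv4(host), match.get("name"), int(match.get("accuracy"))))
    return guesses


def follow_up_command(hosts, top_ports=10, out_file="ports.xml"):
    """argv for the targeted scan of the hosts the sweep found. Built as a list, not a shell
    string, so addresses are never interpreted by cmd.exe or PowerShell."""
    return ["nmap", "-sS", "-sV", "-O", "--top-ports", str(top_ports), "-n", "-oX", out_file, *hosts]


if __name__ == "__main__":
    import shutil, sys
    if len(sys.argv) > 1 and shutil.which("nmap"):
        # Live run, e.g. `python scan_flow.py 192.168.1.0/24` from an administrator prompt
        # (needed for -sS/-O); `-oX -` makes Nmap write the XML to stdout.
        sweep = subprocess.run(["nmap", "-sn", "-oX", "-", sys.argv[1]], capture_output=True, text=True, check=True)
        hosts = live_hosts(sweep.stdout) or sys.exit("no live hosts found")
        ports_xml = subprocess.run(follow_up_command(hosts, out_file="-"), capture_output=True, text=True, check=True).stdout
    else:  # offline: use the constructed samples above
        hosts, ports_xml = live_hosts(SAMPLE_SWEEP_XML), SAMPLE_PORTS_XML
    print("live hosts:", hosts)
    for entry in open_ports(ports_xml):
        print("open:", entry)
    for ip, name, acc in best_os_guess(ports_xml):
        print(f"OS guess for {ip}: {name} ({acc}%)")
```

Two design points worth noting. The follow-up command passes -n, so the second pass does not repeat reverse lookups the sweep already avoided, and -oX is used rather than -oN because the XML carries the port state and the reason attribute (syn-ack, reset, no-response) in a form a script can rely on; parsing the human-readable table is brittle across Nmap versions.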

Running Zenmap on Windows

If you are not familiar with the command line, or simply want a graphical interface for Nmap, take a look at Zenmap, the official Nmap GUI.

Zenmap is included as a component of the Nmap Windows installer and is selected by default, so if you accepted the default components in the steps above it is already installed. It lets you save scan profiles, shows the equivalent nmap command line as you pick options (a good way to learn them), and can compare the results of two scans. You can learn more from the Zenmap page and the Zenmap User’s Guide on nmap.org.

ZeNmap On Windows

Conclusion

Nmap is a simple yet powerful network reconnaissance and management tool. It lets you quickly scan your own network, or others that you have permission to work on, using a variety of scan types and techniques.

Installing and using Nmap on Windows is straightforward, and you can get started with the tool quickly. Once you are familiar with it, Zenmap adds a graphical front end, saved profiles and scan comparison that make the program even more convenient to work with.

NAHLA DAVIES

Nahla Davies is a software developer and a SecurityTrails tech writer. Before devoting her work full time to technical writing, she managed—among other intriguing things—to serve as a lead programmer at an Inc. 5,000 experiential branding organization whose clients include Samsung, Time Warner, Netflix, and Sony.